Security for VPNs with IPsec Configuration Guide, Cisco IOS Release
15S
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITEDWARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDINGANYOTHERWARRANTYHEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS"WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FORA PARTICULAR PURPOSEANDNONINFRINGEMENTORARISING FROMACOURSEOFDEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
© 2017 Cisco Systems, Inc. All rights reserved.
http://www.cisco.com/go/trademarks
http://www.cisco.com/go/trademarks
C O N T E N T S
C H A P T E R 1 Configuring Security for VPNs with IPsec 1
Finding Feature Information 1
Prerequisites for Configuring Security for VPNs with IPsec 2
Restrictions for Configuring Security for VPNs with IPsec 2
Information About Configuring Security for VPNs with IPsec 3
Supported Standards 3
Supported Switching Paths, and Encapsulation 5
Supported Hardware 5
VPN Accelerator Module Support 5
AIMs and NM Support 5
Supported Switching Paths 7
Supported Encapsulation 7
IPsec Functionality Overview 8
IKEv1 Transform Sets 8
IKEv2 Transform Sets 8
IPsec Traffic Nested to Multiple Peers 9
Crypto Access Lists 9
Crypto Access List Overview 9
When to Use the permit and deny Keywords in Crypto Access Lists 10
Mirror Image Crypto Access Lists at Each IPsec Peer 12
When to Use the any Keyword in Crypto Access Lists 13
Transform Sets: A Combination of Security Protocols and Algorithms 13
About Transform Sets 13
Cisco IOS Suite-B Support for IKE and IPsec Cryptographic Algorithms 15
Suite-B Requirements 16
Where to Find Suite-B Configuration Information 16
Crypto Map Sets 17
About Crypto Maps 17
Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S
iii
Load Sharing Among Crypto Maps 18
Crypto Map Guidelines 18
Static Crypto Maps 19
Dynamic Crypto Maps 19
Dynamic Crypto Maps Overview 19
Tunnel Endpoint Discovery 20
Redundant Interfaces Sharing the Same Crypto Map 22
Establish Manual SAs 23
How to Configure IPsec VPNs 23
Creating Crypto Access Lists 23
What to Do Next 24
Configuring Transform Sets for IKEv1 and IKEv2 Proposals 24
Restrictions 25
Configuring Transform Sets for IKEv1 25
What to Do Next 26
Configuring Transform Sets for IKEv2 27
Transform Sets for IKEv2 Examples 28
What to Do Next 29
Creating Crypto Map Sets 29
Creating Static Crypto Maps 29
Troubleshooting Tips 32
What to Do Next 32
Creating Dynamic Crypto Maps 32
Troubleshooting Tips 36
What to Do Next 36
Creating Crypto Map Entries to Establish Manual SAs 36
Troubleshooting Tips 39
What to Do Next 39
Applying Crypto Map Sets to Interfaces 39
Configuration Examples for IPsec VPN 41
Example: Configuring AES-Based Static Crypto Map 41
Additional References 42
Feature Information for Configuring Security for VPNs with IPsec 44
C H A P T E R 2 IPsec Virtual Tunnel Interfaces 47
Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S
iv
Contents
Finding Feature Information 47
Restrictions for IPsec Virtual Tunnel Interfaces 48
Information About IPsec Virtual Tunnel Interfaces 48
Benefits of Using IPsec Virtual Tunnel Interfaces 48
Static Virtual Tunnel Interfaces 49
Dynamic Virtual Tunnel Interfaces 49
Dynamic Virtual Tunnel Interface Life Cycle 50
Routing with IPsec Virtual Tunnel Interfaces 51
Traffic Encryption with the IPsec Virtual Tunnel Interface 51
How to Configure IPsec Virtual Tunnel Interfaces 52
Configuring Static IPsec Virtual Tunnel Interfaces 52
Configuring Dynamic IPsec Virtual Tunnel Interfaces 54
Configuration Examples for IPsec Virtual Tunnel Interfaces 56
Example: Static Virtual Tunnel Interface with IPsec 56
Example: Verifying the Results for the IPsec Static Virtual Tunnel Interface 58
Example: VRF-Aware Static Virtual Tunnel Interface 59
Example: Static Virtual Tunnel Interface with QoS 59
Example: Static Virtual Tunnel Interface with Virtual Firewall 60
Example: Dynamic Virtual Tunnel Interface Easy VPN Server 61
Example: Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN
Server 62
Example: Dynamic Virtual Tunnel Interface Easy VPN Client 62
Example: Verifying the Results for the Dynamic Virtual Tunnel Interface Easy VPN
Client 63
Example: VRF-Aware IPsec with Dynamic VTI 64
Example: Dynamic Virtual Tunnel Interface with Virtual Firewall 64
Example: Dynamic Virtual Tunnel Interface with QoS 65
Additional References for IPsec Virtual Tunnel Interface 66
Feature Information for IPsec Virtual Tunnel Interfaces 67
C H A P T E R 3 SafeNet IPsec VPN Client Support 71
Finding Feature Information 71
Prerequisites for SafeNet IPsec VPN Client Support 72
Restrictions for SafeNet IPsec VPN Client Support 72
Information About SafeNet IPsec VPN Client Support 72
Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S
v
Contents
ISAKMP Profile and ISAKMP Keyring Configurations Background 72
Local Termination Address or Interface 72
Benefit of SafeNet IPsec VPN Client Support 73
How to Configure SafeNet IPsec VPN Client Support 73
Limiting an ISAKMP Profile to a Local Termination Address or Interface 73
Limiting a Keyring to a Local Termination Address or Interface 74
Monitoring and Maintaining SafeNet IPsec VPN Client Support 75
Examples 76
debug crypto isakmp Command Output for an ISAKMP Keyring That IsBound to
Local Termination Addresses Example 76
debug crypto isakmp Command Output for an ISAKMP ProfileThat Is Boundto
a Local Termination Address Example 76
show crypto isakmp profile Command Output Example 77
Troubleshooting SafeNet IPsec VPN Client Support 77
Configuration Examples for SafeNet IPsec VPN Client Support 77
ISAKMP Profile Bound to a Local Interface Example 77
ISAKMP Keyring Bound to a Local Interface Example 77
ISAKMP Keyring Bound to a Local IP Address Example 78
ISAKMP Keyring Bound to an IP Address and Limited to a VRF Example 78
Additional References 78
Related DocumentsStandards 78
MIBs 79
RFCs 79
Technical Assistance 79
C H A P T E R 4 Crypto Conditional Debug Support 81
Finding Feature Information 81
Prerequisites for Crypto Conditional Debug Support 82
Restrictions for Crypto Conditional Debug Support 82
Information About Crypto Conditional Debug Support 82
Supported Condition Types 82
How to Enable Crypto Conditional Debug Support 83
Enabling Crypto Conditional Debug Messages 83
Performance Considerations 83
Disable Crypto Debug Conditions 84
Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S
v
